[Patch] Allow specifying the guid for NTDS Settings

Andrew Bartlett abartlet at samba.org
Sat Sep 19 11:26:50 MDT 2009


On Sat, 2009-09-19 at 01:10 +0400, Matthieu Patou wrote:
> On 09/19/2009 12:58 AM, Stefan (metze) Metzmacher wrote:
> > Matthieu Patou schrieb:
> >> On 09/19/2009 12:40 AM, Matthieu Patou wrote:
> >>> On 09/19/2009 12:21 AM, Andrew Bartlett wrote:
> >>>> On Sat, 2009-09-19 at 00:11 +0400, Matthieu Patou wrote:
> >>>>> Hello,
> >>>>>
> >>>>> This patch allows specifying on the command line the GUID of the object
> >>>>> NTDS Settings for the selfjoined DC.
> >>>> I really don't like the idea of changing the objectGUID. If you need to
> >>>> set it to a particular value, then do so during the 'add' process.
> >>>>
> >>> Note: I usually do not try to innovate and try to do as it is done
> >>> already (ie. for domainguid is the same script).
> >>>
> >>> Although it's not a problem for me to do in one or in another way
> >>>> That may require that we set a control to allow it (if another module
> >>>> would prevent it).
> >> Indeed:
> >>
> >> Traceback (most recent call last):
> >>    File "./setup/provision", line 201, in <module>
> >>      ldap_dryrun_mode=opts.ldap_dryrun_mode)
> >>    File "bin/python/samba/provision.py", line 1187, in provision
> >>      serverrole=serverrole,ntdsguid=ntdsguid,ldap_backend=provision_backend)
> >>    File "bin/python/samba/provision.py", line 1005, in setup_samdb
> >>      domainControllerFunctionality=domainControllerFunctionality,ntdsguid=ntdsguid)
> >>    File "bin/python/samba/provision.py", line 790, in setup_self_join
> >>      "DOMAIN_CONTROLLER_FUNCTIONALITY": str(domainControllerFunctionality)})
> >>    File "bin/python/samba/provision.py", line 262, in setup_add_ldif
> >>      ldb.add_ldif(data)
> >>    File "bin/python/samba/__init__.py", line 244, in add_ldif
> >>      self.add(msg)
> >> _ldb.LdbError: (53, "replmd_add: it's not allowed to add an object with objectGUID\n")
> >
> > We also need to make sure we add code to replmd_modify to reject
> > objectGUID changes...
> >
> If this is done like this it will break the current provision as system 
> when specifying --domain-guid as for this the provision is already using 
> the trick of replacing the GUID ....

No - the difference here is between add and modify.  It is (mostly) safe
to choose a GUID at add time, if you have a very good reason, but very
unsafe to change a GUID later (we embed it into linked attributes and
replication messages for example).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
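
The add-versus-modify distinction drawn in the reply above, as an added example that is not part of the original thread and is not Samba code. It is a toy in-memory directory (every class, function and parameter name here is hypothetical) that accepts a caller-chosen objectGUID only at add time with an explicit opt-in, refuses any later change, and shows the stale link an unguarded rewrite leaves behind.

```python
import uuid

UNWILLING_TO_PERFORM = 53  # LDAP result code, as seen in the traceback above

class DirectoryError(Exception):
    def __init__(self, code, message):
        super().__init__(code, message)
        self.code = code

class ToyDirectory:
    """Constructed model for illustration; not Samba's replmd module."""

    def __init__(self):
        self.objects = {}  # dn -> attribute dict
        self.links = []    # (source GUID, target GUID): links name GUIDs, not DNs

    def add(self, dn, attrs, allow_chosen_guid=False):
        attrs = dict(attrs)
        if "objectGUID" in attrs and not allow_chosen_guid:
            # Default policy: the directory generates the GUID itself.
            raise DirectoryError(UNWILLING_TO_PERFORM,
                                 "add: objectGUID supplied without explicit opt-in")
        guid = uuid.UUID(str(attrs.get("objectGUID", uuid.uuid4())))
        if any(o["objectGUID"] == guid for o in self.objects.values()):
            raise DirectoryError(UNWILLING_TO_PERFORM, "add: objectGUID already in use")
        attrs["objectGUID"] = guid
        self.objects[dn] = attrs
        return guid

    def modify(self, dn, changes):
        if "objectGUID" in changes:
            # No opt-in here: existing links and replication state name this GUID.
            raise DirectoryError(UNWILLING_TO_PERFORM, "modify: objectGUID is immutable")
        self.objects[dn].update(changes)

    def link(self, source_dn, target_dn):
        self.links.append((self.objects[source_dn]["objectGUID"],
                           self.objects[target_dn]["objectGUID"]))

    def dangling_links(self):
        known = {o["objectGUID"] for o in self.objects.values()}
        return [l for l in self.links if l[0] not in known or l[1] not in known]

def rewrite_guid_unchecked(directory, dn, new_guid):
    """What an unguarded modify would do: links to the old GUID go stale."""
    directory.objects[dn]["objectGUID"] = uuid.UUID(new_guid)
    return directory.dangling_links()
```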